Authorization & Authentication


The role of authentication and authorization in software development

Recently I found myself building an authentication system for a personal project. Along the way I learned a lot about common authentication approaches, and I want to share the key takeaways.

Authentication is a fundamental step you have to take into account when building a login/signup flow, or simply when you want your app to handle multiple users. I know nowadays we have frameworks that do this for us, but I'm a firm believer that we as developers should know what's happening under the hood.

So... what is authentication and authorization? Aren't they the same?

They are not the same. They may seem similar, but they are different processes with different purposes. Authentication answers the question "Who are you?", and authorization answers "What are you allowed to do?"

Let's define each one and then look at a simple example.

Authentication

Authentication is the security process of validating who the user is. It is typically done by asking for a password, biometrics, or a one-time code. More robust applications use multi-factor authentication (MFA), which combines more than one of these factors, to verify the user's identity.

Authorization

Authorization is the security process of granting (or denying) permission to access a specific resource, action, or area of your application, server, etc.

Authentication = identity. Authorization = access.

Consider the following situation: you and three friends decide to go to a Radiohead concert. Like any concert, you buy tickets, but inside the event there are designated areas (VIP, General, etc.). For simplicity, let's stick with VIP and General.

When you were deciding which tickets to buy, one of your friends didn't have the money for a VIP ticket, so the group was split into two: two people going VIP and two going General.

On the day of the event, at the venue entrance, the bouncer asks for your ID and your ticket. Your ID proves you are who you say you are (identity—and sometimes age, depending on the event). Your ticket proves what areas you're allowed to access inside.

Takeaway: can you spot the authentication and authorization parts?

  • When the bouncer checks your ID, that's authentication (verifying your identity).
  • When they check your ticket type (VIP vs General), that’s authorization (verifying what you’re allowed to access).

I hope these concepts are clearer now. It's important to understand the difference between them. You might be wondering what this has to do with login and signup in a web application. It has everything to do with it: at their core, that's exactly what login and signup are about.
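As an added example (not code from the original post), here is a minimal Python login-and-access check that keeps the two questions separate: `authenticate` answers "who are you?" against a constructed user store with salted password hashes, and `authorize` answers "what are you allowed to do?" using the VIP/General ticket policy from the concert analogy. The user records, the `AREA_POLICY` table and the HTTP-style status codes (401 for a failed identity check, 403 for a denied permission) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (names, passwords and tickets are made up).
_SALT_ALICE, _SALT_BOB = os.urandom(16), os.urandom(16)
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE), "ticket": "vip"},
    "bob": {"salt": _SALT_BOB, "hash": _hash_password("battery staple", _SALT_BOB), "ticket": "general"},
}

# Authorization policy: which ticket types may enter which area (assumed).
AREA_POLICY = {"general": {"general", "vip"}, "vip": {"vip"}}


@dataclass(frozen=True)
class Principal:
    username: str
    ticket: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Who are you? Returns a Principal only if the credentials check out."""
    record = USERS.get(username)
    # Hash even for unknown users so timing does not reveal whether the username exists.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, expected):
        return None
    return Principal(username, record["ticket"])


def authorize(principal: Principal, area: str) -> bool:
    """What are you allowed to do? Checks the proven identity's ticket against the area."""
    return principal.ticket in AREA_POLICY.get(area, set())


def request_access(username: str, password: str, area: str) -> int:
    """Web-handler shape: 401 = identity not proven, 403 = proven but not allowed, 200 = admitted."""
    principal = authenticate(username, password)
    if principal is None:
        return 401
    return 200 if authorize(principal, area) else 403
```

Note that the ticket check only ever runs on a `Principal` returned by `authenticate`, so authorization can never be reached without authentication succeeding first.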

Now that the concepts are clear, let’s talk about common authentication approaches in software development.